On 2026-05-06, Tom Smyth <[email protected]> wrote:
> is there a more elegant way of adding private trusted CAs to OpenBSD...
not at present.
> is there a
>
> I used to simply
> cat ca-chainfil.pem >> /etc/ssl/cert.pem
>
> in the past (distant past) modifying that cert.pem I had encountered issues
> with upgrades
sysmerge should do it, but the sdiff(1) UI isn't super-clean for this.
> is there a simple way to do /etc/ssl/cert.pem.local
> i.e.
>
> cat ca-chainfil.pem >> /etc/ssl/cert.pem.local
>
> any thoughts ? advice welcome
I think the best simple way to handle this would be if we include a
second copy of cert.pem in baseXX.tgz (e.g. in /etc/examples), so that
it's extracted directly, rather than etc.tgz/sysmerge. If we did that,
you'd be able to do this in /upgrade.site:

    cd /etc/ssl && cat /etc/examples/cert.pem cert.local > cert.new &&
        mv cert.new cert.pem

While there are some other possible reasons to modify cert.pem (i.e.
untrusting certain CAs), adding a local one has to be by far the most
common.
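
Added example, not part of the original message: a shell function that performs the rebuild proposed above with a few checks before the bundle is replaced. The function name rebuild_bundle is hypothetical, and the pristine copy in /etc/examples is the proposal from the message, not something shipped at present.

```shell
#!/bin/sh
# rebuild_bundle PRISTINE LOCAL TARGET
# Concatenate a pristine CA bundle and a local CA file into TARGET.
# Returns 0 on success; on any failure TARGET is left untouched.
rebuild_bundle() {
	pristine=$1 local_cas=$2 target=$3

	# Both inputs must exist and be non-empty.
	[ -s "$pristine" ] || { echo "missing or empty: $pristine" >&2; return 1; }
	[ -s "$local_cas" ] || { echo "missing or empty: $local_cas" >&2; return 1; }

	# The bundle is world-readable: refuse a local file carrying key material.
	if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$local_cas"; then
		echo "$local_cas contains a private key" >&2
		return 2
	fi

	# There must be at least one certificate, and every BEGIN needs an END
	# (catches a truncated copy/paste).
	begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$local_cas" || true)
	ends=$(grep -c -e '-----END CERTIFICATE-----' "$local_cas" || true)
	if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
		echo "$local_cas: no certificates, or a truncated one" >&2
		return 3
	fi

	# Build beside the target so the final mv is a rename on one filesystem.
	tmp=$(mktemp "$target.XXXXXXXXXX") || return 4
	if cat "$pristine" "$local_cas" > "$tmp" &&
	    chmod 0444 "$tmp" &&
	    mv -f "$tmp" "$target"; then
		return 0
	fi
	rm -f "$tmp"
	return 4
}

# Stand-alone use, e.g. from /upgrade.site under the proposal above:
#   sh thisfile /etc/examples/cert.pem /etc/ssl/cert.local /etc/ssl/cert.pem
if [ "$#" -eq 3 ]; then
	rebuild_bundle "$@"
fi
```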